[RFC] IAM Users #74

Open
rehanvdm opened this issue Nov 14, 2024 · 2 comments
Labels
enhancement New feature or request good first issue Good for newcomers

Comments

@rehanvdm
Collaborator

Placeholder

rehanvdm added the enhancement and good first issue labels on Nov 14, 2024
@farbodahm
Collaborator

RFC: IAM User Management in DLZ

Overview

This RFC outlines the approach for managing IAM users within the DLZ using CDK. The goal is to ensure adherence to the Principle of Least Privilege, providing only the permissions required for specific tasks. The workload teams are not responsible for managing IAM users, and all user-related actions are centralized within the DLZ.


IAM User Management Responsibility Matrix

DLZ:

  • Creation and management of IAM users and groups.
  • Definition and enforcement of permission sets and user groups.
  • Assignment of specific permissions to user groups (e.g., access to certain S3 buckets).
  • Implementation of restrictions to minimize security risks.

Workload Teams:

  • No responsibility for IAM user or permission management.

Key Guidelines for IAM User Creation and Management

1. User Creation

  • IAM users will be created centrally in the DLZ.
  • User details (e.g., userName, name) will be defined within the iamUsers configuration.
  • No direct AWS console access for users unless explicitly required.

2. User Group and Permission Sets

  • Permission sets will define access at a granular level:
    • Administrator Access: Full access to AWS services (use cautiously).
    • Restricted Access (e.g., S3): Specific permissions for limited resources.

3. Principle of Least Privilege

  • Users will only be granted permissions required for their specific tasks:
    • Restrict S3 access to necessary buckets or objects using specific ARNs.
    • Limit access to specific resources such as DynamoDB tables, Lambda functions, etc.

4. Security Controls

  • Rotate user credentials regularly.
  • Audit IAM roles and user permissions periodically to remove unused or unnecessary permissions.

Security Concerns and Mitigation

1. Credential Leakage

  • Risk: Compromised access keys could expose sensitive resources.
  • Mitigation:
    • Rotate credentials periodically.
    • Monitor API usage for suspicious activities.

2. Resource Misuse

  • Risk: Users could inadvertently or maliciously misuse their permissions.
  • Mitigation:
    • Monitor CloudTrail logs for unusual activity.
    • Define strict policies with deny rules for sensitive actions.

Code Implementation

The following configuration demonstrates the implementation of IAM users and groups in the DLZ configuration file:

import * as iam from 'aws-cdk-lib/aws-iam';

iamUsers: {
    users: [
        { userName: 'user1', name: 'User1' },
        { userName: 'user2', name: 'User2' },
    ],
    userGroups: [
        {
            // Full access: attach the AWS managed policy only where explicitly justified.
            name: 'admin-access-permission-set',
            managedPolicyArns: ['arn:aws:iam::aws:policy/AdministratorAccess'],
        },
        {
            // Least privilege: read-only access scoped to one bucket. s3:ListBucket matches
            // the bucket ARN and s3:GetObject matches object ARNs (bucket/*), so both are listed.
            name: 's3-only-access',
            inlinePolicyStatements: [
                new iam.PolicyStatement({
                    actions: ['s3:ListBucket', 's3:GetObject'],
                    resources: [
                        'arn:aws:s3:::specific-bucket',
                        'arn:aws:s3:::specific-bucket/*',
                    ],
                }),
            ],
        },
    ],
    userGroupAssociation: [
        {
            name: 'admin-access-group',
            userNames: ['user1'], // must match a userName entry in `users` above
            permissionSetName: 'admin-access-permission-set',
        },
        {
            name: 's3-access-group',
            userNames: ['user2'],
            permissionSetName: 's3-only-access',
        },
    ],
}

Conclusion

By centralizing IAM user management and applying strict restrictions, the DLZ ensures compliance with best practices while maintaining robust security. All IAM-related configurations will adhere to the principles outlined in this RFC to minimize risks and ensure proper governance.
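The least-privilege rules in sections 2 and 3 of the RFC can be checked mechanically before anything is synthesized. The following is an added example in TypeScript, not code from the DLZ project or from the RFC author: a lint over the proposed iamUsers shape that flags the managed AdministratorAccess attachment, Allow statements with wildcard actions or resources, and S3 statements whose ARNs do not match the actions they grant (an s3:GetObject grant on a bucket ARN, or an s3:ListBucket grant on an object ARN, matches nothing). Statements are plain objects mirroring iam.PolicyStatement's props so the example runs without aws-cdk-lib; the config shape, the Finding type and the sample config are assumptions for the example.

```typescript
// Added example, not DLZ project code. Statements are plain objects that mirror
// iam.PolicyStatement props (assumed shape) so this runs without aws-cdk-lib.
interface Statement { effect?: 'Allow' | 'Deny'; actions: string[]; resources: string[] }
interface UserGroup { name: string; managedPolicyArns?: string[]; inlinePolicyStatements?: Statement[] }
interface IamUsersConfig { users: { userName: string; name: string }[]; userGroups: UserGroup[] }
interface Finding { group: string; level: 'error' | 'warn'; message: string }

const ADMIN_POLICY = 'arn:aws:iam::aws:policy/AdministratorAccess';
const S3_OBJECT_ACTIONS = ['s3:GetObject', 's3:PutObject', 's3:DeleteObject'];

function lintIamUsers(cfg: IamUsersConfig): Finding[] {
  const findings: Finding[] = [];
  const warn = (group: string, message: string) => findings.push({ group, level: 'warn', message });
  const error = (group: string, message: string) => findings.push({ group, level: 'error', message });

  for (const g of cfg.userGroups) {
    // The RFC allows the managed admin policy but wants it used cautiously, so surface it.
    if ((g.managedPolicyArns ?? []).includes(ADMIN_POLICY)) {
      warn(g.name, `attaches ${ADMIN_POLICY}; confirm this group really needs full access`);
    }
    for (const st of g.inlinePolicyStatements ?? []) {
      if ((st.effect ?? 'Allow') === 'Deny') continue; // deny statements only narrow access
      const wildAction = st.actions.some(a => a === '*' || a.endsWith(':*'));
      const wildResource = st.resources.includes('*');
      if (wildAction && wildResource) {
        error(g.name, `Allow ${st.actions.join(', ')} on every resource; scope both actions and resources`);
      } else if (wildResource) {
        warn(g.name, `resources: * for ${st.actions.join(', ')}; use specific ARNs where the service supports them`);
      }
      // S3 is the RFC's worked case: object actions only match object ARNs (bucket/key),
      // ListBucket only matches the bucket ARN. A bare "*" covers both.
      const s3 = st.resources.filter(r => r === '*' || r.startsWith('arn:aws:s3:::'));
      const coversObjects = s3.some(r => r.includes('/') || r.endsWith('*'));
      const coversBucket = s3.some(r => !r.includes('/'));
      const objectActions = st.actions.filter(a => S3_OBJECT_ACTIONS.includes(a));
      if (objectActions.length > 0 && !coversObjects) {
        error(g.name, `${objectActions.join(', ')} has no object ARN (arn:aws:s3:::bucket/*); the grant is ineffective`);
      }
      if (st.actions.includes('s3:ListBucket') && !coversBucket) {
        error(g.name, 's3:ListBucket has no bucket ARN (arn:aws:s3:::bucket); the grant is ineffective');
      }
    }
  }
  return findings;
}

// Constructed sample: the RFC's two groups plus two deliberately bad ones.
const sampleConfig: IamUsersConfig = {
  users: [{ userName: 'user1', name: 'User1' }, { userName: 'user2', name: 'User2' }],
  userGroups: [
    { name: 'admin-access-permission-set', managedPolicyArns: [ADMIN_POLICY] },
    { name: 's3-only-access', inlinePolicyStatements: [{
        actions: ['s3:ListBucket', 's3:GetObject'],
        resources: ['arn:aws:s3:::specific-bucket', 'arn:aws:s3:::specific-bucket/*'] }] },
    { name: 'broken-s3', inlinePolicyStatements: [{
        actions: ['s3:GetObject'], resources: ['arn:aws:s3:::specific-bucket'] }] }, // bucket ARN only
    { name: 'too-broad', inlinePolicyStatements: [{ actions: ['s3:*'], resources: ['*'] }] },
  ],
};

for (const f of lintIamUsers(sampleConfig)) {
  console.log(`${f.level.toUpperCase()} ${f.group}: ${f.message}`);
}
```

Run against the sample, the lint accepts s3-only-access as written, warns on the admin permission set, and errors on the two bad groups. Deny statements are skipped because they can only remove access, and the wildcard check deliberately treats a service-wide action wildcard on "*" as an error rather than a warning.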

@rehanvdm
Collaborator Author

Thanks.

Actually, I think we should give them the option to define policies and roles while we are at it. So I'm proposing a structure like this:

    iam: {
      accountAlias: "datachef",
      passwordPolicy: ...
      policies: [ PolicyProps ]
      roles: [ RoleProps ]
      users: [
        UserProps
      ]
      userGroups: [ {
        ...GroupProps
        users: [ string ] // loosely typed, match the name of the users prop
      } ]
    }

The resources should be created in this order: policies, roles, users, userGroups, so that if a role references a policy, that policy has already been created. So we need to add dependencies between these.

Then we should also create a Defaults.iamPasswordPolicy() function.

You had a good point about compliance. There are Security Hub controls/Config rules that we should revisit.
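The creation order and the Defaults.iamPasswordPolicy() idea from the comment above can both be validated before any construct is instantiated. The following is an added example in TypeScript, not code from the DLZ project or from the commenter: it walks the proposed order (policies, roles, users, userGroups), records the resources created so far, and reports any by-name reference to something not yet created, which is exactly where a CDK implementation would add node.addDependency() edges. It also ships a stand-in default password policy and checks a supplied policy against it. The field names (policyName, roleName, policyNames, users, the password-policy fields modelled on the UpdateAccountPasswordPolicy API parameters), the CIS-style thresholds and the sample config are all assumptions for the example.

```typescript
// Added example, not DLZ project code. All field names and thresholds are assumed.
interface PasswordPolicy { // modelled on UpdateAccountPasswordPolicy parameters (assumed)
  minimumPasswordLength: number;
  requireUppercaseCharacters: boolean;
  requireLowercaseCharacters: boolean;
  requireNumbers: boolean;
  requireSymbols: boolean;
  passwordReusePrevention: number;
  maxPasswordAge: number; // 0 disables expiry in the IAM API
  allowUsersToChangePassword: boolean;
}

interface IamConfig {
  accountAlias: string;
  passwordPolicy: PasswordPolicy;
  policies: { policyName: string }[];
  roles: { roleName: string; policyNames: string[] }[]; // assumed: roles attach policies by name
  users: { userName: string }[];
  userGroups: { groupName: string; policyNames?: string[]; users: string[] }[];
}

// Stand-in for the proposed Defaults.iamPasswordPolicy(). Values follow the CIS AWS
// Foundations Benchmark password controls as assumed here; verify against the
// benchmark version and Security Hub controls the DLZ targets.
function defaultPasswordPolicy(): PasswordPolicy {
  return {
    minimumPasswordLength: 14,
    requireUppercaseCharacters: true,
    requireLowercaseCharacters: true,
    requireNumbers: true,
    requireSymbols: true,
    passwordReusePrevention: 24,
    maxPasswordAge: 90,
    allowUsersToChangePassword: true,
  };
}

// Returns the ways `p` is weaker than the default; empty means compliant.
function checkPasswordPolicy(p: PasswordPolicy): string[] {
  const base = defaultPasswordPolicy();
  const problems: string[] = [];
  if (p.minimumPasswordLength < base.minimumPasswordLength) {
    problems.push(`minimumPasswordLength ${p.minimumPasswordLength} < ${base.minimumPasswordLength}`);
  }
  for (const k of ['requireUppercaseCharacters', 'requireLowercaseCharacters', 'requireNumbers', 'requireSymbols'] as const) {
    if (!p[k]) problems.push(`${k} must be true`);
  }
  if (p.passwordReusePrevention < base.passwordReusePrevention) {
    problems.push(`passwordReusePrevention ${p.passwordReusePrevention} < ${base.passwordReusePrevention}`);
  }
  if (p.maxPasswordAge === 0 || p.maxPasswordAge > base.maxPasswordAge) {
    problems.push(`maxPasswordAge ${p.maxPasswordAge} must be 1..${base.maxPasswordAge}`);
  }
  return problems;
}

// Walks the proposed creation order and checks every reference resolves to something
// already created. `order` is the sequence a CDK stack would wire dependencies along.
function planCreation(cfg: IamConfig): { order: string[]; errors: string[] } {
  const order: string[] = [];
  const errors: string[] = [];
  const created = new Set<string>();
  const add = (kind: string, name: string) => {
    const id = `${kind}:${name}`;
    if (created.has(id)) errors.push(`duplicate ${id}`);
    created.add(id);
    order.push(id);
  };
  const need = (from: string, kind: string, name: string) => {
    if (!created.has(`${kind}:${name}`)) errors.push(`${from} references missing ${kind}:${name}`);
  };
  for (const p of cfg.policies) add('policy', p.policyName);
  for (const r of cfg.roles) { r.policyNames.forEach(n => need(`role:${r.roleName}`, 'policy', n)); add('role', r.roleName); }
  for (const u of cfg.users) add('user', u.userName);
  for (const g of cfg.userGroups) {
    (g.policyNames ?? []).forEach(n => need(`group:${g.groupName}`, 'policy', n));
    g.users.forEach(n => need(`group:${g.groupName}`, 'user', n));
    add('group', g.groupName);
  }
  return { order, errors };
}

// Constructed sample: one weak password setting and one dangling user reference.
const sampleIam: IamConfig = {
  accountAlias: 'datachef',
  passwordPolicy: { ...defaultPasswordPolicy(), minimumPasswordLength: 8 },
  policies: [{ policyName: 's3-read-specific-bucket' }],
  roles: [{ roleName: 'analyst-role', policyNames: ['s3-read-specific-bucket'] }],
  users: [{ userName: 'user1' }, { userName: 'user2' }],
  userGroups: [
    { groupName: 's3-access-group', policyNames: ['s3-read-specific-bucket'], users: ['user2'] },
    { groupName: 'admin-access-group', users: ['user1', 'user3'] }, // user3 is never defined
  ],
};

const plan = planCreation(sampleIam);
console.log(plan.order.join(' -> '));
console.log([...plan.errors, ...checkPasswordPolicy(sampleIam.passwordPolicy)].join('\n'));
```

Because the check follows the same order the stack would create resources in, a reference that fails here is one that would also fail (or silently create nothing) at deploy time; failing the synth step is the cheaper place to catch it.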
